INFORMATION SECURITY HAS ALWAYS BEEN ONE OF THE LARGEST BARRIERS to e-commerce.
Those of us who spend most of our waking moments thinking of new and different ways to
secure these systems and applications know it starts with the data. After all, it’s information
that we are trying to protect.

One of the primary challenges in e-commerce security is coming up with practical ways to
secure payment transaction data. This term means a lot of different things to a lot of different
applications, but for the purpose of this writing, let’s focus on credit card data such as account
numbers, security and CV2 codes, PIN numbers, magnetic stripe data, and expiration and issue
dates. We will also include extra data we deem necessary to make this process more secure,
such as to authenticate or authorize a transaction.

Let’s look at the possible points of failure for credit card information. When a consumer makes
a purchase using his credit or debit account where a card is not involved, whether online or
offline in a scenario such as a phone purchase, he supplies this data to the merchant in order
to prove he has the resources or credit to pay for the merchandise. This data passes through
various systems within and beyond the merchant environment through payment gateways,
back-office applications, acquiring banking networks and systems, issuing banks, and card
association networks.

Some of these merchants (affiliates) may resell items on behalf of other merchants, while other
merchants (packagers) bundle merchandise and services from various providers and resellers.
This currently means that the data must pass through all of the service providers and secondary
merchant systems as well, increasing many times over the number of places where sensitive
payment data is housed (see Figure 5-1). Finally, degrading safety further, many of these
networks and systems contain legacy applications and operating systems that make it difficult
to secure the payment data.

FIGURE 5-1. Credit card data proliferation

But what if we took another approach? What happens when we throw out a lot of today’s
assumptions around electronic payments and e-commerce and assume that the merchant
shouldn’t have to store the data at all? What if we never even handed this sensitive information
over to the merchant in the first place? As we can see, one of the primary difficulties in securing
this data is identifying all the places to which it travels. But what if this no longer mattered?
Or at least mattered significantly less?